Why do new MacBooks ship with the firewall off by default?

I just got a new MacBook Pro. It’s the fifth one I’ve had since 2005, and as usual the hardware is gorgeous, and migrating from the old laptop was a breeze.

But there’s one thing that boggles my mind about the default system configuration…

…the firewall is off by default. It was off by default on my previous MacBook Pro too. (I have a short file describing the steps I took when migrating to the old laptop, and “Security & Privacy: turn on firewall(!)” was one.)

My wife bought a MacBook Air a couple of months ago, and I just checked and the firewall is disabled on it, too.

I admit I am not a world-class expert on matters of network security. Is this totally insane and negligent, or is there something I’m missing?

10 Responses to Why do new MacBooks ship with the firewall off by default?

The average application should not be listening on any ports to begin with. I’d hope the out-of-the-box configuration has few if any listening ports (probably just mDNS service discovery). And a client firewall tends to have one of two properties: either it makes it a pain to run applications that legitimately listen on a port, or it automatically gets a hole poked in it by any application that wants to listen on a port. The former is obnoxious and not user-friendly (leading to many “why does my application not work” issues), and the latter is pointless complexity.

“Personal firewalls” are snake oil. You cannot protect a vulnerable machine by running more software on it, only by running less software. Any malicious traffic has already reached the machine, so all you can do is run extra software – which has its own attack surface – which breaks networking in attempt to prevent the malicious traffic from reaching the attack surface of some other software. All that really does is make your computer work worse. The only way to actually firewall a machine is to prevent the malicious traffic from reaching it at all, which means a real firewall must be a separate device physically placed on the network in front of the machine that is to be protected. If that device is specialised enough to be fully auditable (a pipe dream nowadays) then it can actually shrink the total attack surface of the network.

You are right to some extent, but it assumes a static computer. We have a notebook here, so it is possible the author (or his wife) gets to Starbucks or some other kind of wilderness. And yes, you are right that the best defense is not having any superfluous services running in the first place.

I don’t agree with people up here. I understand that the best is that no application listens on any port until really required, but you can’t check every piece of software for open ports… It can work also as a warning: “Hey, this software wants to open a port to the internet? Did you know?”. And if someone needs to open a port, like running a server or a P2P application, I suppose they can open the required port on the firewall and set port forwarding on the router. Also it can be useful to deny outgoing connections to some program. For example I don’t like programs that send statistics about usage…
This is general, not Mac related.

1. Users have no way of knowing how much attack surface an app’s listening adds, or of knowing what app features require listening. Firewall requests just add to annoyance and security dialog fatigue.

2. Apps that want to “just work” have ways around the firewall. Apps can make other apps connect on their behalf (because desktop OSes lack inter-app protection). P2P apps regularly punch holes in NAT firewalls. When that doesn’t work, they “listen” using outgoing connections, which just adds complexity and wastes the bandwidth of nodes that aren’t behind firewalls.

I have the Win7 firewall enabled and it’s a nightmare. The firewall dialog regularly pops up *behind* applications (especially games) while preventing them from working.

What boggles my mind is why Mac doesn’t have a decent or unified application-update system.

* App Store uses the same message regardless of whether the update is disruptive or not (e.g. requires restarting a running app or the OS).

* Sparkle updates apps with a dialog on launch, which is the worst possible time: either right when I’m trying to use the app, or right after an out-of-date version has been exploited through a file-type or protocol association.

* Brew has to be run manually.

* Steam games update when Steam is running, logged in, and NOT being used to play any other game.

Simple Internal Firewalls (as opposed to IDSs, firewalls on a different machine, etc.) are mostly about dealing with stupid applications that think it’s fine to listen on a port and accept commands. Actually, they are a very good solution to this problem – these ports become unreachable from the outside until one already got in (and often with these machines, if you already got in then you don’t need to access these ports). Generally, I prefer that applications don’t accept commands on various ports for no good reason.

I’ll note that this is the case both on personal computers and servers – stupid applications (e.g. the default configuration of PostgreSQL) exist everywhere.
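Both the first response (few if any listening ports out of the box) and the last one (ports that only matter once something is reachable from outside) turn on the same question: what on this machine is actually listening on a network-reachable address? The script below is an added example, not code from the original post or any of the commenters. It assumes the macOS path of `socketfilterfw` for reading the application firewall state and the column layout of `lsof -nP -iTCP -sTCP:LISTEN`; the embedded lsof text is constructed for illustration and was not captured from a real machine. It separates loopback-only listeners (which a host firewall would not change) from wildcard binds, which are the ones the firewall setting is really about.

```shell
#!/bin/sh
# Added example (not from the original thread): audit what is listening on a
# network-reachable address and whether the macOS application firewall is on,
# so "is the firewall off?" can be answered in terms of actual exposure.
#
# Assumptions: macOS path of socketfilterfw; lsof output as produced by
# `lsof -nP -iTCP -sTCP:LISTEN`. SAMPLE_LSOF is constructed, not real data.

SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    412  alice   4u  IPv4 0x1234      0t0  TCP *:49152 (LISTEN)
rapportd    412  alice   5u  IPv6 0x1235      0t0  TCP *:49152 (LISTEN)
postgres   2210  alice   7u  IPv6 0x1236      0t0  TCP [::1]:5432 (LISTEN)
postgres   2210  alice   8u  IPv4 0x1237      0t0  TCP 127.0.0.1:5432 (LISTEN)
node       3301  alice  21u  IPv4 0x1238      0t0  TCP *:3000 (LISTEN)'

# exposed_listeners: read lsof LISTEN output on stdin and print "command port"
# for sockets bound to a wildcard address, one per line, deduplicated across
# IPv4/IPv6. Loopback binds (127.0.0.1, [::1]) are skipped: they are not
# reachable from the network with or without a host firewall.
exposed_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" {
        name = $(NF-1)                       # e.g. *:3000 or 127.0.0.1:5432
        n = split(name, parts, ":")
        port = parts[n]
        host = substr(name, 1, length(name) - length(port) - 1)
        if (host == "*" || host == "0.0.0.0" || host == "[::]") {
            key = $1 " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    }'
}

# firewall_state: macOS application firewall state, or "unavailable" when the
# tool is absent (so the script is harmless to run on other systems).
firewall_state() {
    sfw=/usr/libexec/ApplicationFirewall/socketfilterfw
    if [ -x "$sfw" ]; then
        "$sfw" --getglobalstate
    else
        echo "unavailable"
    fi
}

# count_exposed: number of network-reachable listeners in the given lsof text.
count_exposed() {
    printf '%s\n' "$1" | exposed_listeners | wc -l | tr -d ' '
}

# Stand-alone run: live data when lsof is present, otherwise the constructed
# sample. Expected on the sample: "rapportd 49152" and "node 3000"; postgres
# does not appear because it is bound to loopback only.
echo "Firewall: $(firewall_state)"
if command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | exposed_listeners
else
    printf '%s\n' "$SAMPLE_LSOF" | exposed_listeners
fi
```

On a real Mac, pipe `lsof -nP -iTCP -sTCP:LISTEN` into `exposed_listeners` and compare the short list it prints with what you expect to be reachable; each entry is a process whose reachability the firewall checkbox actually affects, and each is also a candidate for simply being configured to bind to localhost instead.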